Who needs a Data Protection Officer (DPO)?

Home/POPI and Data Protection/Who needs a Data Protection Officer (DPO)?

What is the legal requirement under the GDPR for a Data Protection Officer (or DPO)? The European Parliament recently adopted the General Data Protection Regulation (GDPR). The question is: What are some of its implications for those that either do business in Europe or have dealings with the personal information of European citizens? One answer to that question is that if the GDPR applies to your business, a Data Protection Officer is a key position to think about.

What is a Data Protection Officer (or DPO)?

Controllers and processors of data, in terms of the GDPR, appoint a Data Protection Officer (or DPO) to help them comply with data protection law. Once appointed, the officer looks into the risks that data processing can expose a business to.  The officer helps the business in their attempts to avoid those risks. Basically, the officer is the link between the public (including other businesses that you may work with) and your business, when it comes to the processing of personal information. This means that the public can direct their data protection queries to this officer. The officer will then report directly to management, and must be given all resources necessary to carry out their functions.

Who needs a Data Protection Officer?

The GDPR is very clear on the organisations that require a Data Protection Officer. Organisations that:

  • have core operations which include the processing of data through mass systematic and regular monitoring of data subjects; or
  • process the special personal information (race, ethnicity, and biometric data) of data subjects on a large scale,

have to appoint a Data Protection Officer.

The GDPR does NOT require every controller and processor to appoint a Data Protection Officer.

A private body does not have to appoint one if:

  • its main activities only seldom involve monitoring data subjects and with little infringement on those data subjects’ rights,
  • it does not process special personal information at all, or
  • is only processing the special personal information of a small group of data subjects.

It is also possible, however, for organisations in a group structure to come together and appoint one even when the GDPR doesn’t require them to do so. But the Article 29 Working Party Guidelines on Data Protection recommend that where it isn’t entirely obvious whether or not the GDPR requires them to have a Data Protection Officer, the organisations follow and document a step-by-step analysis of why they think they do not have to make the appointment. For the whole discussion from the Article 29 Working Party on Data Protection, read the guidelines they adopted on the 13th of December 2016.

Actions you can take now